From: Chris Wilson <chris@chris-wilson.co.uk>
To: intel-gfx@lists.freedesktop.org
Cc: tvrtko.ursulin@intel.com, joonas.lahtinen@linux.intel.com,
	mika.kuoppala@linux.intel.com,
	Chris Wilson <chris@chris-wilson.co.uk>,
	Antonio Argenziano <antonio.argenziano@intel.com>,
	stable@vger.kernel.org
Subject: [PATCH 03/22] drm/i915: Sanity check mmap length against object size
Date: Mon, 18 Mar 2019 09:51:45 +0000
Message-ID: <20190318095204.9913-3-chris@chris-wilson.co.uk>
In-Reply-To: <20190318095204.9913-1-chris@chris-wilson.co.uk>

We assumed that vm_mmap() would reject an attempt to mmap past the end of
the filp (our object), but we were wrong.

Reported-by: Antonio Argenziano <antonio.argenziano@intel.com>
Testcase: igt/gem_mmap/bad-size
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Antonio Argenziano <antonio.argenziano@intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: stable@vger.kernel.org
---
 drivers/gpu/drm/i915/i915_gem.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index f4591a143c84..41d96414ef18 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -1639,8 +1639,13 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
 	 * pages from.
 	 */
 	if (!obj->base.filp) {
-		i915_gem_object_put(obj);
-		return -ENXIO;
+		addr = -ENXIO;
+		goto err;
+	}
+
+	if (range_overflows(args->offset, args->size, (u64)obj->base.size)) {
+		addr = -EINVAL;
+		goto err;
 	}
 
 	addr = vm_mmap(obj->base.filp, 0, args->size,
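Review bot: The new `range_overflows(args->offset, args->size, (u64)obj->base.size)` check carries no comment, and the block comment just above it covers only the `!obj->base.filp` case. The commit message gives the reason (vm_mmap() does not reject a request past the end of the filp), so a short comment above the check saying that the ioctl must bound offset and size against `obj->base.size` itself would keep a later cleanup from dropping it as redundant. The patch is also Cc'd to stable without a Fixes: tag, and the message does not say what a caller observes when the length runs past the object; both would help backporters decide which trees need it.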
@@ -1654,8 +1659,8 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
 		struct vm_area_struct *vma;
 
 		if (down_write_killable(&mm->mmap_sem)) {
-			i915_gem_object_put(obj);
-			return -EINTR;
+			addr = -EINTR;
+			goto err;
 		}
 		vma = find_vma(mm, addr);
 		if (vma && __vma_matches(vma, obj->base.filp, addr, args->size))
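Review bot: On the `down_write_killable()` failure path, `addr = -EINTR` overwrites the address that vm_mmap() returned (the same `addr` is passed to `find_vma(mm, addr)` just below), and nothing in the visible lines unmaps it before `goto err`. The old `return -EINTR` behaved the same way, so this is not a regression, but since the error paths are being reworked here it is worth either unmapping on this path or adding a comment that the mapping is deliberately left behind because the task has a fatal signal pending.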
@@ -1673,12 +1678,10 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
 	i915_gem_object_put(obj);
 
 	args->addr_ptr = (u64)addr;
-
 	return 0;
 
 err:
 	i915_gem_object_put(obj);
-
 	return addr;
 }
 
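Review bot: The two blank-line removals before `return 0;` and `return addr;` are whitespace-only and unrelated to the length check. With stable@vger.kernel.org on Cc, dropping them from this patch keeps the backport to the functional change and avoids needless context conflicts in older trees.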
-- 
2.20.1

